Hi,
Thank you for your reply. I spent a couple of hours on this today with
not much luck. Please find my replies below.
Then check what is blocking port 25. Is it your Debian firewall or
your VPS provider?
There is no VPS provider firewall. The one I can use is disabled. I
asked support if there were any firewall beyond mine and their answer is
no. I should get full access to any port I may need.
On the VPS, iptables is set to ACCEPT in every way, INPUT, OUTPUT and
FORWARD. I added explicit ACCEPT rules for testing but did not get
better results.
But everything looks good now, all ports are publicly reachable. I did
send you a test mail and your server accepted it. (In plaintext but still.)
I also gave http://www.antispam-ufrj.pads.ufrj.br/test-relay.html a
shot. It reached your server. It couldn't do it the last time.
Still, I can reach port 587 in addition to 143 but no 25 nor 465 and 993.
I can reach all, except for 465. But that is ok because according to
your smtpd.conf the server isn't listening on it.
Here is my smtpd.conf:
pki mail.ivanroth.fr cert "/etc/letsencrypt/live/mail.ivanroth.fr/fullchain.pem"
pki mail.ivanroth.fr key "/etc/letsencrypt/live/mail.ivanroth.fr/privkey.pem"
filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } junk
filter check_rdns phase connect match !rdns junk
filter check_fcrdns phase connect match !fcrdns junk
filter senderscore proc-exec "filter-senderscore -junkBelow 70 -slowFactor 5000"
filter rspamd proc-exec "filter-rspamd"
table aliases file:/etc/aliases
listen on 0.0.0.0 tls pki mail.ivanroth.fr \
filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
listen on 0.0.0.0 port submission tls-require pki mail.ivanroth.fr auth filter rspamd
Your server greets the world with
220 ivanroth.fr ESMTP OpenSMTPD
which is the wrong hostname, which leads to "opportunistic TLS failed,
downgrading to plain". Try forcing the right hostname:
listen on 0.0.0.0 hostname mail.ivanroth.fr tls pki mail.ivanroth.fr \
filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
listen on 0.0.0.0 port submission tls-require \
hostname mail.ivanroth.fr pki mail.ivanroth.fr auth \
filter rspamd
#listen on ens3 tls pki mail.ivanroth.fr filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
#listen on ens3 port submission tls-require pki mail.ivanroth.fr auth filter rspamd
action "local_mail" maildir junk alias <aliases>
action "outbound" relay helo mail.ivanroth.fr
match from any for domain "ivanroth.fr" action "local_mail"
match for local action "local_mail"
match from any auth for any action "outbound"
match for any action "outbound"
If I'm not mistaken, the last line is redundant. (Without a "from",
"from local" is implied, which in turn implies "auth", which is covered
by the line "from any auth" before it.)
$ nmap localhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-10 21:58 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00028s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 993 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
143/tcp open imap
443/tcp open https
587/tcp open submission
993/tcp open imaps
Every port is reachable from the public now. (For me at least.) Only you
can tell if you went overboard with opening up everything.
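A check for the greeting-versus-certificate mismatch diagnosed above, as an added example that is not part of this thread or of OpenSMTPD: it parses the 220 banner, compares the announced name with the certificate's DNS SANs, and can run the same comparison against a live server over STARTTLS. The sample certificate dict is constructed from the names in this thread; check_live assumes the server offers STARTTLS with a chain your system trusts.

```python
import re
import smtplib
import ssl
from typing import Dict, List, Optional

BANNER_RE = re.compile(r"^220[ -](\S+)")

def banner_hostname(greeting: str) -> Optional[str]:
    """Hostname a server announces in its 220 greeting, e.g. 'ivanroth.fr'."""
    m = BANNER_RE.match(greeting.strip())
    return m.group(1) if m else None

def san_dns_names(cert: Dict) -> List[str]:
    """DNS names from a cert dict in the shape SSLSocket.getpeercert() returns."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_covered(hostname: str, names: List[str]) -> bool:
    """True if hostname equals a SAN entry or fits a single-label wildcard."""
    host = hostname.lower().rstrip(".")
    for n in (x.lower().rstrip(".") for x in names):
        if n == host:
            return True
        if n.startswith("*.") and host.endswith(n[1:]) and host.count(".") == n.count("."):
            return True
    return False

def greeting_matches_cert(greeting: str, cert: Dict) -> bool:
    """The consistency check from the thread: the greeting name must be in the cert."""
    h = banner_hostname(greeting)
    return h is not None and name_covered(h, san_dns_names(cert))

def check_live(host: str, port: int = 25, timeout: float = 10.0) -> Dict:
    """Connect, read the greeting, STARTTLS, compare greeting name with the cert SANs.
    Chain validation stays on; only hostname checking is off so we can report why."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    smtp = smtplib.SMTP(timeout=timeout)
    code, msg = smtp.connect(host, port)          # greeting is returned here
    greeting = f"{code} {msg.decode(errors='replace')}"
    smtp.ehlo()
    smtp.starttls(context=ctx)
    cert = smtp.sock.getpeercert()
    smtp.quit()
    return {"greeting": greeting, "san": san_dns_names(cert),
            "consistent": greeting_matches_cert(greeting, cert)}
# Constructed sample: a cert issued for mail.ivanroth.fr only (not a real certificate)
SAMPLE_CERT = {"subjectAltName": (("DNS", "mail.ivanroth.fr"),)}

if __name__ == "__main__":
    for g in ("220 ivanroth.fr ESMTP OpenSMTPD", "220 mail.ivanroth.fr ESMTP OpenSMTPD"):
        print(g, "->", "ok" if greeting_matches_cert(g, SAMPLE_CERT) else "MISMATCH")
```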